Microsoft Virtual Machine (VM) build 5.0.3805 and earlier allows remote attackers to determine a local user's username via a Java applet that accesses the user.dir system property, aka "User.dir Exposure Vulnerability."
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-069